Session exclusivity (was Form Double Submit Detection)
Ralph, Does that mean that you can never have exclusive access to your own session? Yes you can, but the only safe way is to synchronize on an object inside the session, not the session itself. Well, not always. Because of threading and memory issues with the JVM, one thread might put something into the session, but another thread cannot see that new data, yet. On the other hand, one thread could be in the process of putting something in the session, and the second thread could think that it's a valid object, when it might not be. (Stupid JVM relativity... :) Does a synchronized block constitute a complete memory boundary? Must the thread sync everything with main memory? I thought it only had to synchronize the data associated with the monitor itself. -chris - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Session exclusivity (was Form Double Submit Detection)
To be honest, I'm not shure. As I'm currently not really using tomcat (or another servlet conainer that works with session facades) I have not thought or tried enough to be shure. For those who want to be very shure, there is still the option to synchronize on something outside of the session. BTW: In my version of tomcat (4.0.3) jasper generates code for the jsp's that synchronizes on the session to access session attributes. Is the current version doing the same ? (Just define a session bean in a jsp and have a look at the source in the work dir ) -Original Message- From: Christopher Schultz [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 28, 2003 5:37 PM To: Tomcat Users List Subject: Session exclusivity (was Form Double Submit Detection) Well, not always. Because of threading and memory issues with the JVM, one thread might put something into the session, but another thread cannot see that new data, yet. On the other hand, one thread could be in the process of putting something in the session, and the second thread could think that it's a valid object, when it might not be. (Stupid JVM relativity... :) Does a synchronized block constitute a complete memory boundary? Must the thread sync everything with main memory? I thought it only had to synchronize the data associated with the monitor itself. -chris - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session exclusivity (was Form Double Submit Detection)
Ralph,
BTW: In my version of tomcat (4.0.3) jasper generates
code for the jsp's that synchronizes on the session
to access session attributes. Is the current version
doing the same ?
I'm using 4.1.27 and yes, is does synchronize on the session object that
it gets (I'm only including the relevant parts):
javax.servlet.jsp.PageContext pageContext = null;
HttpSession session = null;
.
.
.
_jspxFactory = JspFactory.getDefaultFactory();
pageContext = _jspxFactory.getPageContext(this, request, response,
null, true, 8192, true);
session = pageContext.getSession();
.
.
.
synchronized (session) {
test = (Object) pageContext.getAttribute(test,
PageContext.SESSION_SCOPE);
.
.
.
}
So, it looks like the Catalina folks feel like the session is okay to
synchronize on, but I agree that one shouldn't bet the farm on a
session being a good monitor.
-chris
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: Session exclusivity (was Form Double Submit Detection)
As far as I can remember there have been posts in this list, where people said that they have seen different session objects within the same session. This was explained with the fact that there is a session facade which can change anytime. So the session should be a quite weak monitor to rely on. (But as I said, this is not my experience, it's just something I've read) My be it's time for a developer to shed some light on this. -Original Message- From: Christopher Schultz [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 28, 2003 6:34 PM To: Tomcat Users List Subject: Re: Session exclusivity (was Form Double Submit Detection) So, it looks like the Catalina folks feel like the session is okay to synchronize on, but I agree that one shouldn't bet the farm on a session being a good monitor. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Session exclusivity (was Form Double Submit Detection)
At 09:46 AM 10/28/2003, you wrote: As far as I can remember there have been posts in this list, where people said that they have seen different session objects within the same session. This was explained with the fact that there is a session facade which can change anytime. So the session should be a quite weak monitor to rely on. (But as I said, this is not my experience, it's just something I've read) My be it's time for a developer to shed some light on this. The point is not really whether Tomcat does or doesn't give you the same HttpSession facade every time. The point is that this is an *internal* implementation decision that can change at any time. And even if it's never changed for Tomcat, you can't rely on it for other servlet containers. My personal preference (and I've seen the benefits in multiple projects I've worked on), is to *not* rely on objects out of my control for functionality such as this. What happens when you need to put an additional front end on your code to support WebServices, for example -- you still want to rely on any object in the javax.servlet package? Don't think so. If your project is limited in nature, then assume Tomcat and use an object in the session. If you're building a complex, wide application, create your own synchronization framework (or use something pre-built but unrelated to J2EE). It'll give you maximum flexibility when you start to support other appservers, clustering, client types, etc. /soapbox ;) justin -Original Message- From: Christopher Schultz [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 28, 2003 6:34 PM To: Tomcat Users List Subject: Re: Session exclusivity (was Form Double Submit Detection) So, it looks like the Catalina folks feel like the session is okay to synchronize on, but I agree that one shouldn't bet the farm on a session being a good monitor. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Justin Ruthenbeck Software Engineer, NextEngine Inc. justinr - AT - nextengine DOT com Confidential. See: http://www.nextengine.com/confidentiality.php - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
